How unfortunate
Just as the world's largest advertising agency (WPP) moved everyone from Webex to Zoom.
(Spawn of Satan since we lack a Schadenfreude icon)
Video-conferencing outfit Zoom had a vulnerability in its URL scheme that miscreants could exploit to eavesdrop on private meetings. That's according to infosec biz Check Point, which says it found snoops could brute-force their way into Zoom-hosted virtual meetings that were not secured by a password. Hackers would just need …
In fairness to Zoom, every other conference service I've ever used had the same problem, where only a conference ID was widely used and there was no additional authentication of who had dialled in. Like Zoom, you could add a password, but most meeting organisers chose not to.
Security by obscurity as it were...
Well a password is kind of just obscurity too, especially one like this that is shared with everyone and never changed.
The problem was that a 4% hit rate wasn't nearly obscure enough. They needed to be using a lot more than 11 digits and have something in place to block people trying to brute force it.
At several companies I have worked at I've at times called into small meetings a second time from an unknown number (e.g. my home phone). After some time I would ask in the meeting whom that unknown number belonged to and whether we might have someone eavesdropping.
Only once did a manager remove that unknown caller from the call...
I'm embarrassed that the penny did not drop for me on this one. If they were using 64-bit ids, the hit rate would be in the dirt. If they force them to rotate every month or so, even found valid ids would not last. Now, everything requires a password. How many of those will be '123'?
The password to a meeting is nothing more and nothing less than an unstructured extension to the meeting id. Pretending otherwise will not improve the situation.
OK, so correct me if I am wrong, but if you are discussing highly sensitive commercial or legal issues, the meeting will be secured, so the 4% they get into are just the crap, can't-be-arsed-to-come-to-where-you-are-or-lug-this-big-bit-of-kit meetings that don't reveal anything.